
Windows Analysis Report
K2xdxHSWJK.exe

Overview

General Information

Sample name: K2xdxHSWJK.exe (renamed because original name is a hash value)
Original sample name: 0244c540d99d3c8507bdc73d5b4646a3.exe
Analysis ID: 1431113
MD5: 0244c540d99d3c8507bdc73d5b4646a3
SHA1: acb63423f9883dc72c3beab21d711d1c5a0eceed
SHA256: ce8c0c6f213445d5bc40441e171cb112c92bd4192783c06cdd17ba4d851565f8
Tags: exe, RedLineStealer

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RedLine Stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Installs new ROOT certificates
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • K2xdxHSWJK.exe (PID: 6976 cmdline: "C:\Users\user\Desktop\K2xdxHSWJK.exe" MD5: 0244C540D99D3C8507BDC73D5B4646A3)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": ["103.113.70.99:2630"], "Bot Id": "spoo", "Authorization Header": "a442868c38da8722ebccd4819def00b2"}
Source | Rule | Description | Author
K2xdxHSWJK.exe | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000000.1661330299.0000000000672000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.1813158732.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: K2xdxHSWJK.exe PID: 6976 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.0.K2xdxHSWJK.exe.670000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

No Sigma rule has matched
Timestamp: 04/24/24-15:47:05.454523
SID: 2046056
Source Port: 2630
Destination Port: 49730
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 04/24/24-15:46:59.850722
SID: 2046045
Source Port: 49730
Destination Port: 2630
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 04/24/24-15:47:12.612545
SID: 2043231
Source Port: 49730
Destination Port: 2630
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 04/24/24-15:47:00.136127
SID: 2043234
Source Port: 2630
Destination Port: 49730
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: K2xdxHSWJK.exe | Malware Configuration Extractor: RedLine {"C2 url": ["103.113.70.99:2630"], "Bot Id": "spoo", "Authorization Header": "a442868c38da8722ebccd4819def00b2"}
Source: K2xdxHSWJK.exe | Virustotal: Detection: 64%
Source: K2xdxHSWJK.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: K2xdxHSWJK.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Traffic | Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.4:49730 -> 103.113.70.99:2630
Source: Traffic | Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.4:49730 -> 103.113.70.99:2630
Source: Traffic | Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 103.113.70.99:2630 -> 192.168.2.4:49730
Source: Traffic | Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 103.113.70.99:2630 -> 192.168.2.4:49730
Source: Malware configuration extractor | URLs: 103.113.70.99:2630
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 103.113.70.99:2630
Source: Joe Sandbox View | IP Address: 103.113.70.99
Source: Joe Sandbox View | ASN Name: NETCONNECTWIFI-ASNetConnectWifiPvtLtdIN
Source: unknown | TCP traffic detected without corresponding DNS query: 103.113.70.99
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/D
Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002B2B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002B2B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002D38000.00000004.00000800.00020000.00000000.sdmp, K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002D38000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp, K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002D38000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002B2B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002B2B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1827787955.0000000003D56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                    Source: K2xdxHSWJK.exeString found in binary or memory: https://api.ip.sb/ip
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1827787955.0000000003D56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1827787955.0000000003D56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1827787955.0000000003D56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1827787955.0000000003D56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1827787955.0000000003D56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabS
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1827787955.0000000003D56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1827787955.0000000003D56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1827787955.0000000003D56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | File created: C:\Users\user\AppData\Local\Temp\Tmp58D.tmp
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | File created: C:\Users\user\AppData\Local\Temp\Tmp57C.tmp
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Code function: 0_2_027C25D8
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Code function: 0_2_027CDC74
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Code function: 0_2_04F66948
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Code function: 0_2_04F67C20
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Code function: 0_2_04F60040
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Code function: 0_2_04F60007
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Code function: 0_2_04F67C12
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Code function: 0_2_04F65A43
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Code function: 0_2_062BA3E8
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Code function: 0_2_062BA3D8
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Code function: 0_2_062B6FEB
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Code function: 0_2_062B6FF8
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Code function: 0_2_062B6868
                    Source: K2xdxHSWJK.exe, 00000000.00000000.1661356321.00000000006B6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameUpspearing.exe8 vs K2xdxHSWJK.exe
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1811066017.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs K2xdxHSWJK.exe
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs K2xdxHSWJK.exe
                    Source: K2xdxHSWJK.exe | Binary or memory string: OriginalFilenameUpspearing.exe8 vs K2xdxHSWJK.exe
                    Source: K2xdxHSWJK.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/5@0/1
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Mutant created: NULL
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | File created: C:\Users\user\AppData\Local\Temp\Tmp57C.tmp
                    Source: K2xdxHSWJK.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: K2xdxHSWJK.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | File read: C:\Program Files (x86)\desktop.ini
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: K2xdxHSWJK.exe | Virustotal: Detection: 64%
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: dwrite.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: msvcp140_clr0400.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: msisip.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: wshext.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: appxsip.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: opcservices.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: esdsip.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: dpapi.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: sxs.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: scrrun.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: linkinfo.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: secur32.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: wbemcomn.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: rstrtmgr.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Section loaded: windowscodecs.dll
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
                    Source: Google Chrome.lnk.0.dr | LNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: K2xdxHSWJK.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: K2xdxHSWJK.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: K2xdxHSWJK.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: K2xdxHSWJK.exe | Static PE information: 0xF0DBE6BE [Sun Jan 19 04:14:54 2098 UTC]
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Code function: 0_2_04F6C403 push ss; retf 0_2_04F6C40A
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Code function: 0_2_04F6C401 push ss; retf 0_2_04F6C402
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Code function: 0_2_062A1DAE push FFFFFF8Bh; retf 0_2_062A1DB1
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Code function: 0_2_062A1015 push FFFFFF8Bh; ret 0_2_062A101A
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Code function: 0_2_062B369F push ebx; retf 0_2_062B36A2
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Code function: 0_2_062B3729 push esp; retf 0_2_062B372A
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Code function: 0_2_062B3721 push esp; retf 0_2_062B3722
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Code function: 0_2_062B3743 push ebp; retf 0_2_062B374A
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Code function: 0_2_062B3740 push esi; retf 0_2_062B3742
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Code function: 0_2_062B37AF push esp; retf 0_2_062B37B0
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Code function: 0_2_062B5400 push ebp; retf 0_2_062B5401
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Code function: 0_2_062B35E3 push ebx; retf 0_2_062B35EA
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Code function: 0_2_062B35C9 push ebx; retf 0_2_062B35CA
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Code function: 0_2_062B4261 pushad ; retf 0_2_062B4262
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Code function: 0_2_062B5391 push esp; retf 0_2_062B5392
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Code function: 0_2_062BECF2 push eax; ret 0_2_062BED01
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Code function: 0_2_062B3A13 push edi; retf 0_2_062B3A1A
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Code function: 0_2_062B3A11 push edi; retf 0_2_062B3A12
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Code function: 0_2_062B3843 push ebp; retf 0_2_062B3844

                    Persistence and Installation Behavior

                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Memory allocated: 27C0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Memory allocated: 29F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Memory allocated: 2840000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Window / User API: threadDelayed 921
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Window / User API: threadDelayed 7732
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe TID: 7116 | Thread sleep time: -28592453314249787s >= -30000s
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe TID: 7052 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Thread delayed: delay time: 922337203685477
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1830307320.00000000063E5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllj
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Memory allocated: page read and write | page guard
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Queries volume information: C:\Users\user\Desktop\K2xdxHSWJK.exe VolumeInformation
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1811210836.0000000000C63000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: amFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                    Stealing of Sensitive Information

                    Source: Yara match | File source: dump.pcap, type: PCAP
                    Source: Yara match | File source: K2xdxHSWJK.exe, type: SAMPLE
                    Source: Yara match | File source: 0.0.K2xdxHSWJK.exe.670000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000000.1661330299.0000000000672000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: K2xdxHSWJK.exe PID: 6976, type: MEMORYSTR
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Electrum\walletsLRkq`
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $kq1C:\Users\user\AppData\Roaming\Electrum\wallets\*
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $kq-cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.walletLRkq
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum\walletsLRkqx
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.walletLRkq
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $kq%appdata%`,kqdC:\Users\user\AppData\Roaming`,kqdC:\Users\user\AppData\Roaming\Binance
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum\walletsLRkqx
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $kq&%localappdata%\Coinomi\Coinomi\walletsLRkq
                    Source: K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $kq5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
                    Source: C:\Users\user\Desktop\K2xdxHSWJK.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
                    Source: Yara match | File source: 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1813158732.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: K2xdxHSWJK.exe PID: 6976, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: dump.pcap, type: PCAP
                    Source: Yara match | File source: K2xdxHSWJK.exe, type: SAMPLE
                    Source: Yara match | File source: 0.0.K2xdxHSWJK.exe.670000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000000.1661330299.0000000000672000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: K2xdxHSWJK.exe PID: 6976, type: MEMORYSTR

                    ATT&CK Matrix (one line per tactic; bracketed numbers are the matrix's hit-count badges)

                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
                    Execution: Windows Management Instrumentation [221]; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
                    Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
                    Privilege Escalation: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
                    Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [241]; Obfuscated Files or Information [1]; Install Root Certificate [1]; Timestomp [1]; DLL Side-Loading [1]
                    Credential Access: OS Credential Dumping [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
                    Discovery: Security Software Discovery [231]; Process Discovery [1]; Virtualization/Sandbox Evasion [241]; Application Window Discovery [1]; File and Directory Discovery [1]; System Information Discovery [113]; Remote System Discovery
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
                    Collection: Archive Collected Data [1]; Data from Local System [3]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
                    Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Application Layer Protocol [1]; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
                    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
                    Antivirus detection
                    Source | Detection | Scanner | Label
                    K2xdxHSWJK.exe | 65% | Virustotal |
                    No Antivirus matches
                    No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsK2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://tempuri.org/Entity/Id15ResponseDK2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002B2B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • 1%, Virustotal, Browse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://tempuri.org/Entity/Id10ResponseK2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/RenewK2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://tempuri.org/Entity/Id11ResponseDK2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id8ResponseK2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyK2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0K2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDK2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTK2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://schemas.xmlsoap.org/ws/2006/02/addressingidentityK2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://tempuri.org/Entity/Id17ResponseDK2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          unknown
                                                                                                                          http://schemas.xmlsoap.org/soap/envelope/K2xdxHSWJK.exe, 00000000.00000002.1813158732.00000000029F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://tempuri.org/Entity/Id8ResponseDK2xdxHSWJK.exe, 00000000.00000002.1813158732.0000000002B2B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
IP: 103.113.70.99
Domain: unknown
Country: India
ASN: 133973
ASN Name: NETCONNECTWIFI-AS NetConnectWifiPvtLtd IN
Malicious: true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1431113
Start date and time: 2024-04-24 15:46:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 58s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: K2xdxHSWJK.exe (renamed because the original name is a hash value)
Original Sample Name: 0244c540d99d3c8507bdc73d5b4646a3.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/5@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 90
• Number of non-executed functions: 8
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time: 15:47:06
Type: API Interceptor
Description: 44x Sleep call for process: K2xdxHSWJK.exe modified
Match: 103.113.70.99
Associated samples (each detected as malicious, threat name RedLine):
• XHr735qu8v.exe
• gm5v3JlTMk.exe
• o8uKhd6peZ.exe
• vguZEL1YWf.exe
• djiwhBMknd.exe
• ExAXLXWP9K.exe
• 44QHzbqD3m.exe
• 3q1lESMAMh.exe
• fkmfYBX2c6.exe
• IcDaW5Yzvb.exe

No context

Match: NETCONNECTWIFI-AS NetConnectWifiPvtLtd IN
Associated samples (each detected as malicious, threat name RedLine, context 103.113.70.99):
• XHr735qu8v.exe
• gm5v3JlTMk.exe
• o8uKhd6peZ.exe
• vguZEL1YWf.exe
• djiwhBMknd.exe
• ExAXLXWP9K.exe
• 44QHzbqD3m.exe
• 3q1lESMAMh.exe
• fkmfYBX2c6.exe
• IcDaW5Yzvb.exe

No context

No context
Process: C:\Users\user\Desktop\K2xdxHSWJK.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 11:02:32 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
Category: dropped
Size (bytes): 2104
Entropy (8bit): 3.460533141148193
Encrypted: false
SSDEEP: 48:8SHdPTndGRYrnvPdAKRkdAGdAKRFdAKR/U:8S15
MD5: 76CE10A3B93236CA68C951B7136A1E2E
SHA1: 40CBDDA446A401D6950BCC04F43FDF9A86F10AB0
SHA-256: E3C01E83E60B9DD687928B41F7FBD4634F10A2F2CB954A93CB150F4C0DC4BB2D
SHA-512: AD104A77091859A7EB0D760DC9DF3397307E226FBD8D4293CD70572D5F64AB0D939C04A6DE3357BD8828DF9B8E28662EF8526BC935B11803D9524FC5D5C781BA
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\K2xdxHSWJK.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 3274
Entropy (8bit): 5.3318368586986695
Encrypted: false
SSDEEP: 96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlqY
MD5: 0B2E58EF6402AD69025B36C36D16B67F
SHA1: 5ECC642327EF5E6A54B7918A4BD7B46A512BF926
SHA-256: 4B0FB8EECEAD6C835CED9E06F47D9021C2BCDB196F2D60A96FEE09391752C2D7
SHA-512: 1464106CEC5E264F8CEA7B7FF03C887DA5192A976FBC9369FC60A480A7B9DB0ED1956EFCE6FFAD2E40A790BD51FD27BB037256964BC7B4B2DA6D4D5C6B267FA1
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process: C:\Users\user\Desktop\K2xdxHSWJK.exe
File Type: data
Category: dropped
Size (bytes): 2662
Entropy (8bit): 7.8230547059446645
Encrypted: false
SSDEEP: 48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5: 1420D30F964EAC2C85B2CCFE968EEBCE
SHA1: BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256: F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512: 6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious: false
Reputation: moderate, very likely benign file
                                                                                                                                                Preview:0..b...0.."..*.H..............0...0.....*.H..............0...0.....*.H............0...0...*.H.......0...p.,|.(.............mW.....$|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%..*.X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...|B.d..kr.=G.g.v..f.d.C.?..*.0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.
                                                                                                                                                Process:C:\Users\user\Desktop\K2xdxHSWJK.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):2662
                                                                                                                                                Entropy (8bit):7.8230547059446645
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
                                                                                                                                                MD5:1420D30F964EAC2C85B2CCFE968EEBCE
                                                                                                                                                SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
                                                                                                                                                SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
                                                                                                                                                SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
                                                                                                                                                Malicious:false
                                                                                                                                                Reputation:moderate, very likely benign file
                                                                                                                                                Preview:0..b...0.."..*.H..............0...0.....*.H..............0...0.....*.H............0...0...*.H.......0...p.,|.(.............mW.....$|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%..*.X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...|B.d..kr.=G.g.v..f.d.C.?..*.0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.
                                                                                                                                                Process:C:\Users\user\Desktop\K2xdxHSWJK.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):2251
                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3::
                                                                                                                                                MD5:0158FE9CEAD91D1B027B795984737614
                                                                                                                                                SHA1:B41A11F909A7BDF1115088790A5680AC4E23031B
                                                                                                                                                SHA-256:513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
                                                                                                                                                SHA-512:C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
                                                                                                                                                Malicious:false
                                                                                                                                                Reputation:moderate, very likely benign file
                                                                                                                                                Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                Entropy (8bit):5.055784187241597
                                                                                                                                                TrID:
                                                                                                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                                • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                                                                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                File name:K2xdxHSWJK.exe
                                                                                                                                                File size:313'439 bytes
                                                                                                                                                MD5:0244c540d99d3c8507bdc73d5b4646a3
                                                                                                                                                SHA1:acb63423f9883dc72c3beab21d711d1c5a0eceed
                                                                                                                                                SHA256:ce8c0c6f213445d5bc40441e171cb112c92bd4192783c06cdd17ba4d851565f8
                                                                                                                                                SHA512:a8260125025e64d473197373f804b7ad025ed4ac7e77482b011ff394d5cfe217a81bae53516e46e1026b0f3207e2967e2d7c3ea4b106b1a4d99090bb66184492
                                                                                                                                                SSDEEP:6144:/qY6irwP7YfmrYiJv7TAPAzdcZqf7DI/L:/nwPkiJvGAzdcUzs/
                                                                                                                                                TLSH:28645C1823EC8911E27F4B7994A1E274D375ED56A452E30F4ED06CAB3E32741FA11AB2
                                                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ... ....@.. ....................... ............@................................
                                                                                                                                                Icon Hash:4d8ea38d85a38e6d
                                                                                                                                                Entrypoint:0x42b9ae
                                                                                                                                                Entrypoint Section:.text
                                                                                                                                                Digitally signed:false
                                                                                                                                                Imagebase:0x400000
                                                                                                                                                Subsystem:windows gui
                                                                                                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                Time Stamp:0xF0DBE6BE [Sun Jan 19 04:14:54 2098 UTC]
                                                                                                                                                TLS Callbacks:
                                                                                                                                                CLR (.Net) Version:
                                                                                                                                                OS Version Major:4
                                                                                                                                                OS Version Minor:0
                                                                                                                                                File Version Major:4
                                                                                                                                                File Version Minor:0
                                                                                                                                                Subsystem Version Major:4
                                                                                                                                                Subsystem Version Minor:0
                                                                                                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                                                Instruction
                                                                                                                                                jmp dword ptr [00402000h]
                                                                                                                                                popad
                                                                                                                                                add byte ptr [ebp+00h], dh
                                                                                                                                                je 00007F89C48A04C2h
                                                                                                                                                outsd
                                                                                                                                                add byte ptr [esi+00h], ah
                                                                                                                                                imul eax, dword ptr [eax], 006C006Ch
                                                                                                                                                xor eax, 59007400h
                                                                                                                                                add byte ptr [edi+00h], dl
                                                                                                                                                push edx
                                                                                                                                                add byte ptr [ecx+00h], dh
                                                                                                                                                popad
                                                                                                                                                add byte ptr [edi+00h], dl
                                                                                                                                                push esi
                                                                                                                                                add byte ptr [edi+00h], ch
                                                                                                                                                popad
                                                                                                                                                add byte ptr [ebp+00h], ch
                                                                                                                                                push 61006800h
                                                                                                                                                add byte ptr [ebp+00h], ch
                                                                                                                                                dec edx
                                                                                                                                                add byte ptr [eax], bh
                                                                                                                                                add byte ptr [edi+00h], dl
                                                                                                                                                push edi
                                                                                                                                                add byte ptr [ecx], bh
                                                                                                                                                add byte ptr [ecx+00h], bh
                                                                                                                                                bound eax, dword ptr [eax]
                                                                                                                                                xor al, byte ptr [eax]
                                                                                                                                                insb
                                                                                                                                                add byte ptr [eax+00h], bl
                                                                                                                                                pop ecx
                                                                                                                                                add byte ptr [edi+00h], dl
                                                                                                                                                js 00007F89C48A04C2h
                                                                                                                                                jnc 00007F89C48A04C2h
                                                                                                                                                pop edx
                                                                                                                                                add byte ptr [eax+00h], bl
                                                                                                                                                push ecx
                                                                                                                                                add byte ptr [ebx+00h], cl
                                                                                                                                                popad
                                                                                                                                                add byte ptr [edi+00h], dl
                                                                                                                                                dec edx
                                                                                                                                                add byte ptr [ebp+00h], dh
                                                                                                                                                pop edx
                                                                                                                                                add byte ptr [edi+00h], dl
                                                                                                                                                jo 00007F89C48A04C2h
                                                                                                                                                imul eax, dword ptr [eax], 5Ah
                                                                                                                                                add byte ptr [ebp+00h], ch
                                                                                                                                                jo 00007F89C48A04C2h
                                                                                                                                                je 00007F89C48A04C2h
                                                                                                                                                bound eax, dword ptr [eax]
                                                                                                                                                push edi
                                                                                                                                                add byte ptr [eax+eax+77h], dh
                                                                                                                                                add byte ptr [ecx+00h], bl
                                                                                                                                                xor al, byte ptr [eax]
                                                                                                                                                xor eax, 63007300h
                                                                                                                                                add byte ptr [edi+00h], al
                                                                                                                                                push esi
                                                                                                                                                add byte ptr [ecx+00h], ch
                                                                                                                                                popad
                                                                                                                                                add byte ptr [edx], dh
                                                                                                                                                add byte ptr [eax+00h], bh
                                                                                                                                                je 00007F89C48A04C2h
                                                                                                                                                bound eax, dword ptr [eax]
                                                                                                                                                insd
                                                                                                                                                add byte ptr [eax+eax+76h], dh
                                                                                                                                                add byte ptr [edx+00h], bl
                                                                                                                                                push edi
                                                                                                                                                add byte ptr [ecx], bh
                                                                                                                                                add byte ptr [eax+00h], dh
                                                                                                                                                popad
                                                                                                                                                add byte ptr [edi+00h], al
                                                                                                                                                cmp dword ptr [eax], eax
                                                                                                                                                insd
                                                                                                                                                add byte ptr [edx+00h], bl
                                                                                                                                                push edi
                                                                                                                                                add byte ptr [esi+00h], cl
                                                                                                                                                cmp byte ptr [eax], al
                                                                                                                                                push esi
                                                                                                                                                add byte ptr [eax+00h], cl
                                                                                                                                                dec edx
                                                                                                                                                add byte ptr [esi+00h], dh
                                                                                                                                                bound eax, dword ptr [eax]
                                                                                                                                                insd
                                                                                                                                                add byte ptr [eax+00h], bh
                                                                                                                                                jo 00007F89C48A04C2h
                                                                                                                                                bound eax, dword ptr [eax]
                                                                                                                                                insd
                                                                                                                                                add byte ptr [ebx+00h], dh
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2b95c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x32000 | 0x1c9d4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x50000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2b940 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x2e994 | 0x2ec00 | 64c48738b5efa1379746874c338807d5 | False | 0.4696168950534759 | data | 6.205450376900145 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x32000 | 0x1c9d4 | 0x1cc00 | 5b3e8f48de8a05507379330b3cf331a7 | False | 0.23725373641304348 | data | 2.6063301335912525 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x50000 | 0xc | 0x400 | f921873e0b7f3fe3399366376917ef43 | False | 0.025390625 | data | 0.05390218305374581 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x321a0 | 0x3d04 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9934058898847631
RT_ICON | 0x35eb4 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m | | | 0.09013072282030049
RT_ICON | 0x466ec | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m | | | 0.13905290505432216
RT_ICON | 0x4a924 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m | | | 0.17033195020746889
RT_ICON | 0x4cedc | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m | | | 0.2045028142589118
RT_ICON | 0x4df94 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m | | | 0.24645390070921985
RT_GROUP_ICON | 0x4e40c | 0x5a | data | | | 0.7666666666666667
RT_VERSION | 0x4e478 | 0x35a | data | | | 0.4417249417249417
RT_MANIFEST | 0x4e7e4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/24/24-15:47:05.454523 | TCP | 2046056 | ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
04/24/24-15:46:59.850722 | TCP | 2046045 | ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
04/24/24-15:47:12.612545 | TCP | 2043231 | ET TROJAN Redline Stealer TCP CnC Activity | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
04/24/24-15:47:00.136127 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 24, 2024 15:46:59.352811098 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:46:59.577049971 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:46:59.577178955 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:46:59.586038113 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:46:59.819228888 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:46:59.850722075 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:47:00.136126995 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:00.181437016 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:47:05.196752071 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:47:05.454523087 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:05.454585075 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:05.454623938 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:05.454647064 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:47:05.454663992 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:05.454705954 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:05.454714060 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:47:05.509505987 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:47:05.582541943 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:47:05.803514004 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:05.805932999 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:47:06.026566982 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:06.030518055 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:47:06.254336119 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:06.265039921 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:47:06.510746002 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:06.539109945 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:47:06.762192965 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:06.775660992 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:47:06.997937918 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:07.004307032 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:47:07.226130962 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:07.227189064 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:47:07.448270082 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:07.493918896 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:47:07.925017118 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:47:08.146441936 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:08.147512913 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:08.149936914 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:47:08.392267942 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:08.395495892 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:47:08.622766018 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:08.666784048 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:47:08.671780109 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:47:08.934048891 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:08.934125900 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:47:08.966082096 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:09.009702921 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:47:09.053858995 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:47:09.305725098 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:09.353313923 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:47:09.395673990 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:47:09.631314993 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:09.631366968 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:09.631500959 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:47:09.853120089 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:09.853176117 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:09.853252888 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:09.853260994 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:47:09.853379965 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:47:09.865434885 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:09.865525007 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:47:10.119535923 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.119596958 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.119631052 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:47:10.119635105 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.119669914 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.119842052 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.119868040 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:47:10.119874954 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.119981050 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:47:10.120068073 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.120429039 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.339989901 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.340187073 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.340275049 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.340497971 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:47:10.340584040 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.340646029 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:47:10.340786934 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.340873957 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.341497898 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.343919992 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.343955040 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.343991995 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.344026089 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.344058990 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.344090939 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.344139099 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.344168901 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.344202042 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.344233990 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.344264984 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.344296932 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.344329119 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.344361067 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.344393015 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.344424009 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.344455957 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.344486952 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.344523907 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.344556093 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.344850063 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:47:10.344971895 CEST | 49730 | 2630 | 192.168.2.4 | 103.113.70.99
Apr 24, 2024 15:47:10.560831070 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.560890913 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.560925007 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.560957909 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.561132908 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.561167002 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.561314106 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.561347961 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.561429024 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.561520100 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.561553955 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.561633110 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.561666965 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.561769962 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.561912060 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.561945915 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.562020063 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.562120914 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.562164068 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.562410116 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.562443018 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
Apr 24, 2024 15:47:10.562499046 CEST | 2630 | 49730 | 103.113.70.99 | 192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.562717915 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.564858913 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.564892054 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.565001965 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.565119028 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.565176010 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 15:47:10.565259933 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.565320015 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 15:47:10.565341949 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.565469980 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.565850019 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.565964937 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.566081047 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.566200018 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.566317081 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.566780090 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.566899061 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.566931963 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.568227053 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.568773985 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.568806887 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.569082022 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 15:47:10.569227934 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 15:47:10.785350084 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.785459995 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.785669088 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.785845995 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.786243916 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.786413908 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.786566973 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.786864996 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.787259102 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.787331104 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.787609100 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.787652016 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.787825108 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.787841082 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.787962914 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.788130045 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.788247108 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.788310051 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.788408995 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.788606882 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.788680077 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.788870096 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.789297104 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.789483070 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.789688110 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.789917946 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.790128946 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.790174007 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 15:47:10.790273905 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 15:47:10.790330887 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.790616989 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.790735006 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.790913105 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.791007042 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.791789055 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.791896105 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.792037010 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.792383909 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.792398930 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.792520046 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.792629004 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.792818069 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.792872906 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.793025970 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.793081999 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.793174028 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.793277025 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.793478966 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.793577909 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.793661118 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.793816090 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.793870926 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.793983936 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:10.794189930 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 15:47:10.794265032 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 15:47:11.016529083 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:11.016607046 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:11.016643047 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:11.016690969 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:11.016722918 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:11.016753912 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:11.016784906 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:11.016814947 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:11.016845942 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:11.016947031 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:11.017122984 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:11.017153978 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:11.017271996 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 15:47:11.017352104 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:11.017362118 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 15:47:11.017498016 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:11.017618895 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:11.017693043 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:11.017875910 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 15:47:11.238559008 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:11.238622904 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:11.238657951 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:11.238689899 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:11.238722086 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:11.238785982 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:11.238821030 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:11.238854885 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:11.238888025 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:11.238920927 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:11.248711109 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:11.248770952 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:11.270646095 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:11.270703077 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:11.273401976 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:11.273492098 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:11.273525953 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:11.288080931 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:11.337712049 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 15:47:11.411231995 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 15:47:11.639050961 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:11.642729998 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 15:47:11.867563963 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:11.872126102 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 15:47:12.093640089 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:12.094240904 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:12.134684086 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 15:47:12.150032997 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 15:47:12.380660057 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:12.380779028 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:12.382107973 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:12.382582903 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 15:47:12.611669064 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:12.612545013 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 15:47:12.847691059 CEST263049730103.113.70.99192.168.2.4
                                                                                                                                                Apr 24, 2024 15:47:12.907407999 CEST497302630192.168.2.4103.113.70.99
                                                                                                                                                Apr 24, 2024 15:47:13.136121035 CEST497302630192.168.2.4103.113.70.99

Target ID:0
Start time:15:46:57
Start date:24/04/2024
Path:C:\Users\user\Desktop\K2xdxHSWJK.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\K2xdxHSWJK.exe"
Imagebase:0x670000
File size:313'439 bytes
MD5 hash:0244C540D99D3C8507BDC73D5B4646A3
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.1661330299.0000000000672000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1813158732.0000000002A98000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1813158732.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                Reputation:low
                                                                                                                                                Has exited:true

                                                                                                                                                  Execution Graph

                                                                                                                                                  Execution Coverage:8.6%
                                                                                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                  Signature Coverage:0%
                                                                                                                                                  Total number of Nodes:95
                                                                                                                                                  Total number of Limit Nodes:8
execution_graph 40823 ecd01c 40824 ecd034 40823->40824 40825 ecd08e 40824->40825 40828 4f60ad4 40824->40828 40837 4f62c08 40824->40837 40829 4f60adf 40828->40829 40830 4f62c79 40829->40830 40832 4f62c69 40829->40832 40862 4f60bfc 40830->40862 40846 4f62da0 40832->40846 40851 4f62d90 40832->40851 40856 4f62e6c 40832->40856 40833 4f62c77 40833->40833 40838 4f62c45 40837->40838 40839 4f62c79 40838->40839 40841 4f62c69 40838->40841 40840 4f60bfc CallWindowProcW 40839->40840 40842 4f62c77 40840->40842 40843 4f62da0 CallWindowProcW 40841->40843 40844 4f62d90 CallWindowProcW 40841->40844 40845 4f62e6c CallWindowProcW 40841->40845 40842->40842 40843->40842 40844->40842 40845->40842 40847 4f62db4 40846->40847 40866 4f62e58 40847->40866 40869 4f62e48 40847->40869 40848 4f62e40 40848->40833 40853 4f62db4 40851->40853 40852 4f62e40 40852->40833 40854 4f62e58 CallWindowProcW 40853->40854 40855 4f62e48 CallWindowProcW 40853->40855 40854->40852 40855->40852 40857 4f62e2a 40856->40857 40858 4f62e7a 40856->40858 40860 4f62e58 CallWindowProcW 40857->40860 40861 4f62e48 CallWindowProcW 40857->40861 40859 4f62e40 40859->40833 40860->40859 40861->40859 40863 4f60c07 40862->40863 40864 4f6435a CallWindowProcW 40863->40864 40865 4f64309 40863->40865 40864->40865 40865->40833 40867 4f62e69 40866->40867 40872 4f642a0 40866->40872 40867->40848 40870 4f62e69 40869->40870 40871 4f642a0 CallWindowProcW 40869->40871 40870->40848 40871->40870 40873 4f60bfc CallWindowProcW 40872->40873 40874 4f642aa 40873->40874 40874->40867 40755 27cd0b8 40756 27cd0fe 40755->40756 40760 27cd298 40756->40760 40763 27cd289 40756->40763 40757 27cd1eb 40766 27cc9a0 40760->40766 40764 27cd2c6 40763->40764 40765 27cc9a0 DuplicateHandle 40763->40765 40764->40757 40765->40764 40767 27cd300 DuplicateHandle 40766->40767 40768 27cd2c6 40767->40768 40768->40757 40769 27cad38 40770 27cad3c 40769->40770 40774 27cae30 40770->40774 40782 27cae20 40770->40782 40771 27cad47 40775 27cae34 40774->40775 40776 27cae64 40775->40776 40790 27cb0c8 40775->40790 40794 27cb0b8 40775->40794 40776->40771 40777 27cae5c 40777->40776 40778 27cb068 GetModuleHandleW 40777->40778 40779 27cb095 40778->40779 40779->40771 40783 27cae34 40782->40783 40784 27cae64 40783->40784 40788 27cb0c8 LoadLibraryExW 40783->40788 40789 27cb0b8 LoadLibraryExW 40783->40789 40784->40771 40785 27cae5c 40785->40784 40786 27cb068 GetModuleHandleW 40785->40786 40787 27cb095 40786->40787 40787->40771 40788->40785 40789->40785 40791 27cb0dc 40790->40791 40792 27cb101 40791->40792 40798 27ca870 40791->40798 40792->40777 40795 27cb0dc 40794->40795 40796 27cb101 40795->40796 40797 27ca870 LoadLibraryExW 40795->40797 40796->40777 40797->40796 40799 27cb2a8 LoadLibraryExW 40798->40799 40801 27cb321 40799->40801 40801->40792 40802 27c4668 40803 27c4684 40802->40803 40804 27c4696 40803->40804 40806 27c47a0 40803->40806 40807 27c47c5 40806->40807 40811 27c48b0 40807->40811 40815 27c48a1 40807->40815 40813 27c48d7 40811->40813 40812 27c49b4 40812->40812 40813->40812 40819 27c4248 40813->40819 40816 27c48b0 40815->40816 40817 27c49b4 40816->40817 40818 27c4248 CreateActCtxA 40816->40818 40818->40817 40820 27c5940 CreateActCtxA 40819->40820 40822 27c5a03 40820->40822
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1829360749.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_4f60000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 9125e537064f3e3fa6ef02e68b279b7343a7af98569476fcf203b4f188880477
                                                                                                                                                  • Instruction ID: bca59630ef908e54b5b3e90aba49d200cb01b6572c1d2eaa1e290e6dcd5e03df
                                                                                                                                                  • Opcode Fuzzy Hash: 9125e537064f3e3fa6ef02e68b279b7343a7af98569476fcf203b4f188880477
                                                                                                                                                  • Instruction Fuzzy Hash: 6E22E075901228DFDB65DF64C954BD9BBB2FF8A300F0090E9D109AB2A1DB35AE85DF40
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 89aca41ff8abbe482e30d2b01facad0bb52ef0a99c381cf12a4ce60d3568ded0
                                                                                                                                                  • Instruction ID: 46ebcf0204a3e163c32c7ddd42b5c521f97b0ebad57628629d59af484722dce6
                                                                                                                                                  • Opcode Fuzzy Hash: 89aca41ff8abbe482e30d2b01facad0bb52ef0a99c381cf12a4ce60d3568ded0
                                                                                                                                                  • Instruction Fuzzy Hash: 43D1F534D00219CFCB28EFB4D854A9DBBB2FF8A305F5091A9D50AAB355DB319986CF11
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 2e331a6a515c49ddb597bb087dcb933d521d318fd3c1e8228effe368bb98a168
                                                                                                                                                  • Instruction ID: 3d4a8a8aa79c2114adeff7a6fa477ac6cf862fccd010d6adf89fcffb93f1f2ba
                                                                                                                                                  • Opcode Fuzzy Hash: 2e331a6a515c49ddb597bb087dcb933d521d318fd3c1e8228effe368bb98a168
                                                                                                                                                  • Instruction Fuzzy Hash: 27D1E434D00219CFCB28EFB4D854A9DBBB2FF8A305F5091A9D50AAB354DB319986CF11
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1829360749.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_4f60000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 3ed6667eeff0a76ae4b5c791a6b4d5f98aa56016cc2fc5209b1fcc78ede5c0a7
                                                                                                                                                  • Instruction ID: 192021c27db11dca98f90f372ecf27302a50fc9244c6f0e33e841e33abbc09d9
                                                                                                                                                  • Opcode Fuzzy Hash: 3ed6667eeff0a76ae4b5c791a6b4d5f98aa56016cc2fc5209b1fcc78ede5c0a7
                                                                                                                                                  • Instruction Fuzzy Hash: D2C19274E01218CFDB14DFA9D980A9DBBB2FF89304F14D5A9D409AB359DB30A986CF50
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1829360749.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_4f60000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 3bf1f22f2119240ed216ae6807c992636d2fc9c82a9e6e3b4502cc853a868911
                                                                                                                                                  • Instruction ID: f5e959be3484803a654c30b348ec42be8c33f3f451403fc4175c1aa7a8db0174
                                                                                                                                                  • Opcode Fuzzy Hash: 3bf1f22f2119240ed216ae6807c992636d2fc9c82a9e6e3b4502cc853a868911
                                                                                                                                                  • Instruction Fuzzy Hash: 4D612835E00319DFDB05EFA0D9949DEBBF6BF89304B245169D406BB264EB30AD46CB90
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1829360749.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_4f60000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 9752cee76aeb6e679030089b42594ba838fe0af536f7a060de9d20345d47039c
                                                                                                                                                  • Instruction ID: d3966a0e183cd316aa2fed1d639e1a0b958f11d577790e9d19e92f030cab94fd
                                                                                                                                                  • Opcode Fuzzy Hash: 9752cee76aeb6e679030089b42594ba838fe0af536f7a060de9d20345d47039c
                                                                                                                                                  • Instruction Fuzzy Hash: 2F51C975E00218CFEB18DFA6D94179EBBB7BFC8304F14C0699419AB369EB3159468F50
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                  control_flow_graph 294 62a1298-62a12af 296 62a12b1-62a12b7 294->296 297 62a12c7-62a12e9 294->297 298 62a12bb-62a12bd 296->298 299 62a12b9 296->299 302 62a12ec-62a12f0 297->302 298->297 299->297 303 62a12f9-62a12fe 302->303 304 62a12f2-62a12f7 302->304 305 62a1304-62a1307 303->305 304->305 306 62a14f8-62a1500 305->306 307 62a130d-62a1322 305->307 307->302 309 62a1324 307->309 310 62a132b-62a1350 309->310 311 62a1498-62a14b9 309->311 312 62a13e0-62a1405 309->312 324 62a1352-62a1354 310->324 325 62a1356-62a135a 310->325 318 62a14bf-62a14f3 311->318 322 62a140b-62a140f 312->322 323 62a1407-62a1409 312->323 318->302 328 62a1430-62a1453 322->328 329 62a1411-62a142e 322->329 327 62a146d-62a1493 323->327 330 62a13b8-62a13db 324->330 331 62a137b-62a139e 325->331 332 62a135c-62a1379 325->332 327->302 348 62a146b 328->348 349 62a1455-62a145b 328->349 329->327 330->302 346 62a13a0-62a13a6 331->346 347 62a13b6 331->347 332->330 352 62a13aa-62a13ac 346->352 353 62a13a8 346->353 347->330 348->327 350 62a145f-62a1461 349->350 351 62a145d 349->351 350->348 351->348 352->347 353->347
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1830179206.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_62a0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
                                                                                                                                                  • API String ID: 0-1078448309
                                                                                                                                                  • Opcode ID: cbf0abd5b20a8309a22663dd9d8640c9b4d8bda73a74dbc4cc4df8974e1925b6
                                                                                                                                                  • Instruction ID: 0dbd1bde85704c96016dec24292c64c6ab3c9df10140a9266008e8c24e7d72d4
                                                                                                                                                  • Opcode Fuzzy Hash: cbf0abd5b20a8309a22663dd9d8640c9b4d8bda73a74dbc4cc4df8974e1925b6
                                                                                                                                                  • Instruction Fuzzy Hash: 2E61F7307203159FD7589EA9C848A3A7BE7BF88714F148419EA02CB7A6CFB5DC51C791
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                  control_flow_graph 354 62a1582-62a1584 355 62a158e 354->355 356 62a1598-62a15af 355->356 357 62a15b5-62a15b7 356->357 358 62a15b9-62a15bf 357->358 359 62a15cf-62a15f1 357->359 360 62a15c3-62a15c5 358->360 361 62a15c1 358->361 364 62a1638-62a163f 359->364 360->359 361->359 365 62a1571-62a1580 364->365 366 62a1645-62a1747 364->366 365->354 369 62a15f3-62a15f7 365->369 370 62a15f9-62a1604 369->370 371 62a1606 369->371 373 62a160b-62a160e 370->373 371->373 373->366 376 62a1610-62a1614 373->376 377 62a1623 376->377 378 62a1616-62a1621 376->378 379 62a1625-62a1627 377->379 378->379 381 62a174a-62a17a7 379->381 382 62a162d-62a1637 379->382 389 62a17a9-62a17af 381->389 390 62a17bf-62a17e1 381->390 382->364 391 62a17b3-62a17b5 389->391 392 62a17b1 389->392 395 62a17e4-62a17e8 390->395 391->390 392->390 396 62a17ea-62a17ef 395->396 397 62a17f1-62a17f6 395->397 398 62a17fc-62a17ff 396->398 397->398 399 62a1abf-62a1ac7 398->399 400 62a1805-62a181a 398->400 400->395 402 62a181c 400->402 403 62a18d8-62a198b 402->403 404 62a1823-62a18d3 402->404 405 62a1990-62a19bd 402->405 406 62a1a07-62a1a2c 402->406 403->395 404->395 426 62a19c3-62a19cd 405->426 427 62a1b36-62a1b73 405->427 421 62a1a2e-62a1a30 406->421 422 62a1a32-62a1a36 406->422 428 62a1a94-62a1aba 421->428 429 62a1a38-62a1a55 422->429 430 62a1a57-62a1a7a 422->430 431 62a19d3-62a1a02 426->431 432 62a1b00-62a1b2f 426->432 428->395 429->428 449 62a1a7c-62a1a82 430->449 450 62a1a92 430->450 431->395 432->427 452 62a1a86-62a1a88 449->452 453 62a1a84 449->453 450->428 452->450 453->450
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1830179206.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_62a0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: $kq$$kq$$kq$$kq$$kq$$kq
                                                                                                                                                  • API String ID: 0-1342094364
                                                                                                                                                  • Opcode ID: abb94024e56a1cd09606b54d288ca01560806611c9d04d9305b1a1739c461331
                                                                                                                                                  • Instruction ID: 85736ba42effcd2eca520193b76ac146448e83cad9627a6594ad13dc5c102810
                                                                                                                                                  • Opcode Fuzzy Hash: abb94024e56a1cd09606b54d288ca01560806611c9d04d9305b1a1739c461331
                                                                                                                                                  • Instruction Fuzzy Hash: F6C1E3347103059FDB559BA8C858A2ABBE7EF89310F148469E902CF3A2DFB5DC15C791
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                  control_flow_graph 457 27cae30-27cae3f 459 27cae6b-27cae6f 457->459 460 27cae41-27cae4e call 27c9838 457->460 462 27cae71-27cae7b 459->462 463 27cae83-27caec4 459->463 466 27cae64 460->466 467 27cae50 460->467 462->463 469 27caec6-27caece 463->469 470 27caed1-27caedf 463->470 466->459 515 27cae56 call 27cb0c8 467->515 516 27cae56 call 27cb0b8 467->516 469->470 471 27caee1-27caee6 470->471 472 27caf03-27caf05 470->472 474 27caee8-27caeef call 27ca814 471->474 475 27caef1 471->475 477 27caf08-27caf0f 472->477 473 27cae5c-27cae5e 473->466 476 27cafa0-27cafb7 473->476 479 27caef3-27caf01 474->479 475->479 491 27cafb9-27cb018 476->491 480 27caf1c-27caf23 477->480 481 27caf11-27caf19 477->481 479->477 482 27caf25-27caf2d 480->482 483 27caf30-27caf39 call 27ca824 480->483 481->480 482->483 489 27caf3b-27caf43 483->489 490 27caf46-27caf4b 483->490 489->490 492 27caf4d-27caf54 490->492 493 27caf69-27caf76 490->493 509 27cb01a-27cb060 491->509 492->493 494 27caf56-27caf66 call 27ca834 call 27ca844 492->494 500 27caf78-27caf96 493->500 501 27caf99-27caf9f 493->501 494->493 500->501 510 27cb068-27cb093 GetModuleHandleW 509->510 511 27cb062-27cb065 509->511 512 27cb09c-27cb0b0 510->512 513 27cb095-27cb09b 510->513 511->510 513->512 515->473 516->473
                                                                                                                                                  APIs
                                                                                                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 027CB086
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1812804821.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_27c0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: HandleModule
                                                                                                                                                  • String ID: 0V$0V
                                                                                                                                                  • API String ID: 4139908857-4216712621
                                                                                                                                                  • Opcode ID: af8bccb7a1e0e8c8b38b53c9fdb93c41cf25c3ab3955672e6a5bfa088b2e5abd
                                                                                                                                                  • Instruction ID: 068af4de7ee62beb40176f98f7bebb609579bed605f49eac47196065efa27507
                                                                                                                                                  • Opcode Fuzzy Hash: af8bccb7a1e0e8c8b38b53c9fdb93c41cf25c3ab3955672e6a5bfa088b2e5abd
                                                                                                                                                  • Instruction Fuzzy Hash: D57103B0A00B098FD724DF3AD14579ABBF1FF88315F10892DE48A97A50D775E94ACB90
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                  control_flow_graph 570 62a1295-62a12af 572 62a12b1-62a12b7 570->572 573 62a12c7-62a12e9 570->573 574 62a12bb-62a12bd 572->574 575 62a12b9 572->575 578 62a12ec-62a12f0 573->578 574->573 575->573 579 62a12f9-62a12fe 578->579 580 62a12f2-62a12f7 578->580 581 62a1304-62a1307 579->581 580->581 582 62a14f8-62a1500 581->582 583 62a130d-62a1322 581->583 583->578 585 62a1324 583->585 586 62a132b-62a1350 585->586 587 62a1498 585->587 588 62a13e0-62a1405 585->588 600 62a1352-62a1354 586->600 601 62a1356-62a135a 586->601 590 62a14a2-62a14b9 587->590 598 62a140b-62a140f 588->598 599 62a1407-62a1409 588->599 594 62a14bf-62a14f3 590->594 594->578 604 62a1430-62a1453 598->604 605 62a1411-62a142e 598->605 603 62a146d-62a1493 599->603 606 62a13b8-62a13db 600->606 607 62a137b-62a139e 601->607 608 62a135c-62a1379 601->608 603->578 624 62a146b 604->624 625 62a1455-62a145b 604->625 605->603 606->578 622 62a13a0-62a13a6 607->622 623 62a13b6 607->623 608->606 628 62a13aa-62a13ac 622->628 629 62a13a8 622->629 623->606 624->603 626 62a145f-62a1461 625->626 627 62a145d 625->627 626->624 627->624 628->623 629->623
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1830179206.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_62a0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: $kq$$kq
                                                                                                                                                  • API String ID: 0-3550614674
                                                                                                                                                  • Opcode ID: e37f12e4c9b05595c04eea90ae37fe2603bf605a956d1bded3020d6faa4dca62
                                                                                                                                                  • Instruction ID: fad1ae40f34c7c88e68871f1e43fd9acbba914cf558e50af5434934b63309240
                                                                                                                                                  • Opcode Fuzzy Hash: e37f12e4c9b05595c04eea90ae37fe2603bf605a956d1bded3020d6faa4dca62
                                                                                                                                                  • Instruction Fuzzy Hash: 1741F030750311AFE7849AA8C858B2A3AEBAFC9714F104429EB02CB7E1CEF5DC11C791
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                  control_flow_graph 683 27c5935-27c593b 684 27c5944-27c5a01 CreateActCtxA 683->684 686 27c5a0a-27c5a64 684->686 687 27c5a03-27c5a09 684->687 694 27c5a66-27c5a69 686->694 695 27c5a73-27c5a77 686->695 687->686 694->695 696 27c5a88 695->696 697 27c5a79-27c5a85 695->697 699 27c5a89 696->699 697->696 699->699
                                                                                                                                                  APIs
                                                                                                                                                  • CreateActCtxA.KERNEL32(?), ref: 027C59F1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1812804821.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_27c0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Create
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2289755597-0
                                                                                                                                                  • Opcode ID: e6ee41f52487d5f7a41050a5b3ccdfe9b7054d79bbf7a77cbda802f75387d769
                                                                                                                                                  • Instruction ID: e8b1e50859e12ca53a92e0e78cf676835d6c9e8eca9f27ed73ab3517c2dacc8f
                                                                                                                                                  • Opcode Fuzzy Hash: e6ee41f52487d5f7a41050a5b3ccdfe9b7054d79bbf7a77cbda802f75387d769
                                                                                                                                                  • Instruction Fuzzy Hash: 6D41E3B0D00619CFDB14DFAAC98479DBBB5BF44304F64815AD408BB254DB756989CF90
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                  control_flow_graph 700 4f60bfc-4f642fc 703 4f64302-4f64307 700->703 704 4f643ac-4f643cc call 4f60ad4 700->704 705 4f6435a-4f64392 CallWindowProcW 703->705 706 4f64309-4f64340 703->706 712 4f643cf-4f643dc 704->712 708 4f64394-4f6439a 705->708 709 4f6439b-4f643aa 705->709 714 4f64342-4f64348 706->714 715 4f64349-4f64358 706->715 708->709 709->712 714->715 715->712
                                                                                                                                                  APIs
                                                                                                                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 04F64381
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1829360749.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_4f60000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CallProcWindow
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2714655100-0
                                                                                                                                                  • Opcode ID: cb805fb6c0b5ed166868aa0fbb5956ec00df2a48b9f709d6c1d14abfa606cda9
                                                                                                                                                  • Instruction ID: 0ebca8afd85c73a170dfb05f2b48e96ec79dbbfd6af0c0c90710978698028b49
                                                                                                                                                  • Opcode Fuzzy Hash: cb805fb6c0b5ed166868aa0fbb5956ec00df2a48b9f709d6c1d14abfa606cda9
                                                                                                                                                  • Instruction Fuzzy Hash: 494138B4A00205DFDB14DF9AC449AAABBF5FF88314F24C558E519AB321D334A841CBA4
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                  control_flow_graph 717 27c4248-27c5a01 CreateActCtxA 720 27c5a0a-27c5a64 717->720 721 27c5a03-27c5a09 717->721 728 27c5a66-27c5a69 720->728 729 27c5a73-27c5a77 720->729 721->720 728->729 730 27c5a88 729->730 731 27c5a79-27c5a85 729->731 733 27c5a89 730->733 731->730 733->733
                                                                                                                                                  APIs
                                                                                                                                                  • CreateActCtxA.KERNEL32(?), ref: 027C59F1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1812804821.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_27c0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Create
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2289755597-0
                                                                                                                                                  • Opcode ID: a98a266982c5f505608e2764629bc515284a55a553a343f9047c66e9bdfd1606
                                                                                                                                                  • Instruction ID: f6bd60ce3de17058e365a25e5de30280f62b5caeb2746f75e21b55c3b1c8bddb
                                                                                                                                                  • Opcode Fuzzy Hash: a98a266982c5f505608e2764629bc515284a55a553a343f9047c66e9bdfd1606
                                                                                                                                                  • Instruction Fuzzy Hash: BE41E2B0D00619CBDB24CFAAC884B9DBBB5FF48304F6080AAD408BB255DB756949CF94
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                  control_flow_graph 734 27cc9a0-27cd394 DuplicateHandle 736 27cd39d-27cd3ba 734->736 737 27cd396-27cd39c 734->737 737->736
                                                                                                                                                  APIs
                                                                                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,027CD2C6,?,?,?,?,?), ref: 027CD387
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1812804821.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_27c0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: DuplicateHandle
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3793708945-0
                                                                                                                                                  • Opcode ID: 039d353c1df0998826da2bf166d2e747175797cc312ed4f3488a320d9844267b
                                                                                                                                                  • Instruction ID: b0b0936331251e4b6bc660fd5935bb329d2bf61f55bbd715f3377f9ed9eb0726
                                                                                                                                                  • Opcode Fuzzy Hash: 039d353c1df0998826da2bf166d2e747175797cc312ed4f3488a320d9844267b
                                                                                                                                                  • Instruction Fuzzy Hash: F621E6B5900218DFDB10CFAAD984AEEBFF4EB48310F24802AE914B7310D374A950CFA4
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                  control_flow_graph 740 27cd2f9-27cd394 DuplicateHandle 741 27cd39d-27cd3ba 740->741 742 27cd396-27cd39c 740->742 742->741
                                                                                                                                                  APIs
                                                                                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,027CD2C6,?,?,?,?,?), ref: 027CD387
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1812804821.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_27c0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: DuplicateHandle
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3793708945-0
                                                                                                                                                  • Opcode ID: 1f04b4a4e48c6fb53ae3d7a010dce2bcefd54ee973fce99ad179d62a91755207
                                                                                                                                                  • Instruction ID: ffa0a49cd15ad547211146c1d34a22ff440cd88afcedff81a6658159ec35cb52
                                                                                                                                                  • Opcode Fuzzy Hash: 1f04b4a4e48c6fb53ae3d7a010dce2bcefd54ee973fce99ad179d62a91755207
                                                                                                                                                  • Instruction Fuzzy Hash: 7721E4B5D00258DFDB10CFAAD584ADEBFF5EB48314F24802AE918A7310D374A950CFA4
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%
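The `control_flow_graph` lines in these entries are the serialised node and edge lists of the rendered graph: each numeric node id is followed by its basic-block address range (a single address for a one-instruction block), `call <hex>` marks an intra-module call, any other bare token is the imported API the block calls, and `src->dst` tokens are the edges. The parser below recovers that structure so an analyst can list which block calls which import, find the function entry, flag self-loop spin blocks such as the `699->699` edge in the CreateActCtxA graph above, and print the shortest block path from entry to the API call. It is an added example, not Joe Sandbox code; the format is inferred from the dumps in this report, the two sample lines are copied verbatim from the CreateActCtxA and DuplicateHandle entries above, and the third line is constructed to exercise the `call` annotation.

```python
"""Parse Joe Sandbox control_flow_graph text dumps (added example; format inferred from this report)."""
import re
from collections import deque
from dataclasses import dataclass, field

RANGE_RE = re.compile(r"^([0-9a-f]+)(?:-([0-9a-f]+))?$")   # 'start-end' or single address
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")                     # 'src->dst' between node ids


@dataclass
class Block:
    node_id: int
    start: int
    end: int
    apis: list = field(default_factory=list)    # imported API names called in this block
    calls: list = field(default_factory=list)   # targets of 'call <hex>' annotations


def parse_cfg(line):
    """Return ({node_id: Block}, [(src, dst), ...]) for one control_flow_graph line."""
    tokens = line.split()
    if not tokens or tokens[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph dump")
    blocks, edges, current = {}, [], None
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
            continue
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        rng = RANGE_RE.match(nxt)
        if tok.isdigit() and rng:                 # node id followed by its address range
            start = int(rng.group(1), 16)
            end = int(rng.group(2), 16) if rng.group(2) else start
            current = Block(int(tok), start, end)
            blocks[current.node_id] = current
            i += 2
            continue
        if current is None:
            raise ValueError(f"annotation {tok!r} before any block")
        if tok == "call" and rng:                 # intra-module call target
            current.calls.append(int(nxt, 16))
            i += 2
            continue
        current.apis.append(tok)                  # anything else is an imported API name
        i += 1
    return blocks, edges


def entry_blocks(blocks, edges):
    """Node ids with no predecessor other than themselves (the function entry)."""
    targets = {dst for src, dst in edges if src != dst}
    return sorted(b for b in blocks if b not in targets)


def self_loops(edges):
    """Node ids that branch to themselves (tight spin loops)."""
    return sorted({src for src, dst in edges if src == dst})


def api_blocks(blocks):
    """[(block_start_address, api_name), ...] for every block that calls an import."""
    return sorted((b.start, api) for b in blocks.values() for api in b.apis)


def shortest_path(blocks, edges, src, dst):
    """BFS over node ids; returns block start addresses on the path, or [] if unreachable."""
    succ = {}
    for s, d in edges:
        succ.setdefault(s, []).append(d)
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(blocks[node].start)
                node = prev[node]
            return path[::-1]
        for nxt in succ.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return []


def api_reach_paths(line):
    """{api_name: [hex block addresses from the entry block to the calling block]}."""
    blocks, edges = parse_cfg(line)
    out = {}
    for b in blocks.values():
        for api in b.apis:
            for entry in entry_blocks(blocks, edges):
                path = shortest_path(blocks, edges, entry, b.node_id)
                if path:
                    out[api] = [f"{a:x}" for a in path]
                    break
    return out


# Copied verbatim from the CreateActCtxA and DuplicateHandle entries of this report.
CREATE_ACTCTX_CFG = ("control_flow_graph 683 27c5935-27c593b 684 27c5944-27c5a01 CreateActCtxA "
                     "683->684 686 27c5a0a-27c5a64 684->686 687 27c5a03-27c5a09 684->687 "
                     "694 27c5a66-27c5a69 686->694 695 27c5a73-27c5a77 686->695 687->686 694->695 "
                     "696 27c5a88 695->696 697 27c5a79-27c5a85 695->697 699 27c5a89 696->699 "
                     "697->696 699->699")
DUPLICATE_HANDLE_CFG = ("control_flow_graph 740 27cd2f9-27cd394 DuplicateHandle 741 27cd39d-27cd3ba "
                        "740->741 742 27cd396-27cd39c 740->742 742->741")
# Constructed line (not from the report) exercising the 'call <hex>' annotation.
CONSTRUCTED_CFG = "control_flow_graph 1 1000-100f call 2000 2 1011-1020 GetModuleHandleW 1->2 2->2"

if __name__ == "__main__":
    for cfg in (CREATE_ACTCTX_CFG, DUPLICATE_HANDLE_CFG, CONSTRUCTED_CFG):
        blocks, edges = parse_cfg(cfg)
        print(len(blocks), "blocks", len(edges), "edges", "spin:", self_loops(edges), api_reach_paths(cfg))
```

Running it on the CreateActCtxA dump reports nine blocks, the single entry block at 27c5935, the one-instruction blocks 27c5a88 and 27c5a89, the self-loop on 699, and the two-block path 27c5935 to 27c5944 that reaches the CreateActCtxA call.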

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                  control_flow_graph 745 27cb2a0-27cb2e8 746 27cb2ea-27cb2ed 745->746 747 27cb2f0-27cb31f LoadLibraryExW 745->747 746->747 748 27cb328-27cb345 747->748 749 27cb321-27cb327 747->749 749->748
                                                                                                                                                  APIs
                                                                                                                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,027CB101,00000800,00000000,00000000), ref: 027CB312
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1812804821.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_27c0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: LibraryLoad
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1029625771-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,027CB101,00000800,00000000,00000000), ref: 027CB312
Memory Dump Source
• Source File: 00000000.00000002.1812804821.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_27c0000_K2xdxHSWJK.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 027CB086
Memory Dump Source
• Source File: 00000000.00000002.1812804821.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_27c0000_K2xdxHSWJK.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
Similarity
• API ID:
• String ID: $kq
• API String ID: 0-3037731980
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
Similarity
• API ID:
• String ID: 4'kq
• API String ID: 0-3255046985
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
Similarity
• API ID:
• String ID: 4'kq
• API String ID: 0-3255046985
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
Similarity
• API ID:
• String ID: 4'kq
• API String ID: 0-3255046985
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
Similarity
• API ID:
• String ID: 4'kq
• API String ID: 0-3255046985
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
Similarity
• API ID:
• String ID: 4'kq
• API String ID: 0-3255046985
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
Similarity
• API ID:
• String ID: 4'kq
• API String ID: 0-3255046985
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: 4'kq
                                                                                                                                                  • API String ID: 0-3255046985
                                                                                                                                                  • Opcode ID: 9469ac91231f14c2bdfcc2a1d39cd253cda94066438d35cddf6731f4bb38dd62
                                                                                                                                                  • Instruction ID: abd45d166a39adc42c7e7b02aecd14deb174e1c608129eacbfdd6658625ee8b0
                                                                                                                                                  • Opcode Fuzzy Hash: 9469ac91231f14c2bdfcc2a1d39cd253cda94066438d35cddf6731f4bb38dd62
                                                                                                                                                  • Instruction Fuzzy Hash: 79F01974A06209AFCB14EFB8E58559DBBB2FB44301B5085A9D406E7354EB306E888B51
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1830179206.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_62a0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 384e99ab5f9adc2a712cbf9fdcd4b6a487214684f3f90684bbc5d0663975aa88
                                                                                                                                                  • Instruction ID: 5c630ef97430f0f32b792fda13783fc4eaa4a9fc93f4fa2f90559e7b61b131a8
                                                                                                                                                  • Opcode Fuzzy Hash: 384e99ab5f9adc2a712cbf9fdcd4b6a487214684f3f90684bbc5d0663975aa88
                                                                                                                                                  • Instruction Fuzzy Hash: 13925170A402189FDB559F64CD50BEEB7B2FF88700F108099E506AB3A5DB71AE81DF91
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1830179206.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_62a0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 8c659ce8b8802b020aa017ef3e53567d764d81c986d464bbc06f8bc300f8b280
                                                                                                                                                  • Instruction ID: dc408bba4afaceac931e5f0cbe32dc8204d5ffac7d7916a2f548019ae302ef64
                                                                                                                                                  • Opcode Fuzzy Hash: 8c659ce8b8802b020aa017ef3e53567d764d81c986d464bbc06f8bc300f8b280
                                                                                                                                                  • Instruction Fuzzy Hash: A54276347507198FCB64AF78945066EBBF2FBC5704B00495CD502AB3A5CFBAED068B89
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1830179206.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_62a0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: fc7423ee68cc97ab51e808513689c3f3bfcda3d4f21d11d2d912cdeef6c861db
                                                                                                                                                  • Instruction ID: 8dcfc20640a29298f0fecbb17b8168fce7439eeb05d990c107cb0a7bfae54a60
                                                                                                                                                  • Opcode Fuzzy Hash: fc7423ee68cc97ab51e808513689c3f3bfcda3d4f21d11d2d912cdeef6c861db
                                                                                                                                                  • Instruction Fuzzy Hash: 7342A174B50218CFDB549B24C954EAE77B2FFC8704F108099E9065B3A6DBB1ED828F91
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 6fa96cd6d7314f8631037cf856f42ea1b49819f8431875d066b66930ed152d56
                                                                                                                                                  • Instruction ID: 4ca196cd588eae7ecea9e320351859d72fd4915dbb04c8d34d8b5bac43d0b991
                                                                                                                                                  • Opcode Fuzzy Hash: 6fa96cd6d7314f8631037cf856f42ea1b49819f8431875d066b66930ed152d56
                                                                                                                                                  • Instruction Fuzzy Hash: F6021834B106018FDB44EF29C594AAABBF2FF89344B1594A8E906DB376DB30EC45CB51
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1830179206.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_62a0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: ede3c91b3d32e75190e98261bfc54513a657c0f8b312d48212d146f122f3ae29
                                                                                                                                                  • Instruction ID: fc7d682e540ab2dd85869c80d5252e802e01838bf43dd135bde2caf961d845e3
                                                                                                                                                  • Opcode Fuzzy Hash: ede3c91b3d32e75190e98261bfc54513a657c0f8b312d48212d146f122f3ae29
                                                                                                                                                  • Instruction Fuzzy Hash: 81F14634B402048FCB44DF69C984EADBBF6EF89704F14809AE506DB3A6DA71ED45CB50
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1830179206.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_62a0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 2ca932012d9cc003275b7f9c13f0a8ff46991d6082a6299e673b275836864b9a
                                                                                                                                                  • Instruction ID: 2b2b9ede7b143cf3a2533f27bfc6f193af28d8de19237d5047a1eddbbd6ae4f5
                                                                                                                                                  • Opcode Fuzzy Hash: 2ca932012d9cc003275b7f9c13f0a8ff46991d6082a6299e673b275836864b9a
                                                                                                                                                  • Instruction Fuzzy Hash: 56C17F34B103059FEB449B68C858B7A7BB6FF99708F108055EA029B3A1CFB5DD42CB91
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1830179206.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_62a0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 5fe9edc7637a8cde3212f53b5a9e677d8620ff21c0e6c6ac57fe5b748cd7bb3a
                                                                                                                                                  • Instruction ID: 6d34475045f7c338985783d835a8e36ffef3b08f3222b4d5048b11f2f7052196
                                                                                                                                                  • Opcode Fuzzy Hash: 5fe9edc7637a8cde3212f53b5a9e677d8620ff21c0e6c6ac57fe5b748cd7bb3a
                                                                                                                                                  • Instruction Fuzzy Hash: 0EB18034B603059FEB849B64C858B797BB6FB99708F108055EA029B3E1CFB5DD42CB91
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1830179206.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_62a0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 24503b82476ccb56d8023976b6c1bdd530d01db9549f4728620095d0d7f75947
                                                                                                                                                  • Instruction ID: a0c3f650b28c82bdb472b0ae86b844073759b54fec37291f4f719539d90f12c0
                                                                                                                                                  • Opcode Fuzzy Hash: 24503b82476ccb56d8023976b6c1bdd530d01db9549f4728620095d0d7f75947
                                                                                                                                                  • Instruction Fuzzy Hash: 5FB17034B603059FEB449B64C858B797BB6FB99708F108055EA029B3E1CFB5DD42CB91
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1830179206.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_62a0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: f961b0cab1cc3beddd5bb39df00f88caa04c519a875ee21c02c3c346f30fe80d
                                                                                                                                                  • Instruction ID: 94cbd4638371fb281d5835292a1c38c7ccd541503c853ab15774c0c7ad85dc4e
                                                                                                                                                  • Opcode Fuzzy Hash: f961b0cab1cc3beddd5bb39df00f88caa04c519a875ee21c02c3c346f30fe80d
                                                                                                                                                  • Instruction Fuzzy Hash: CEB18F34B603059FEB449B64C858B797BB6FB99708F108055EA029B3E1CFB5ED42CB91
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 268162b37f255b66c082fe8652225ceec96f86d9a0b727fa5d1a0cd396610f99
                                                                                                                                                  • Instruction ID: c41fa97a4cf3accc40d214c89b802ab379c150c66a5d5e4a90d28bff8015309d
                                                                                                                                                  • Opcode Fuzzy Hash: 268162b37f255b66c082fe8652225ceec96f86d9a0b727fa5d1a0cd396610f99
                                                                                                                                                  • Instruction Fuzzy Hash: 0CB13834B106058FCB54EF79D588AAABBF2FF88304B1540A8E946DB366DB30EC05CB50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e064c34435b22814e40acee29df32e19caba35ab3fbb7cef627fc784986d9ee0
• Instruction ID: e240bd235785c8bba2c762edcb030813e7298b30fd4f9c8dd8d98f12eebfe092
• Opcode Fuzzy Hash: e064c34435b22814e40acee29df32e19caba35ab3fbb7cef627fc784986d9ee0
• Instruction Fuzzy Hash: 16A12734B106058FCB54EF79D598A9ABBF2FF88305B1580A8E546DB3A6DB30EC45CB50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0417155924c6a6bb65d18ae17d5f820e1d2df34c0c063a04f35b9ad1b3be8005
• Instruction ID: b983cc89676876085ba8b6d6edc162ee8a5b5ebf74ba048d797e5162c7843c95
• Opcode Fuzzy Hash: 0417155924c6a6bb65d18ae17d5f820e1d2df34c0c063a04f35b9ad1b3be8005
• Instruction Fuzzy Hash: E4511471E10219CFDB55CFA9D884BDEBBB6EF88350F248429E815AB254DB749941CF80
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a2b27f86e737a1251a341c82fa371d987ce47c2eee450f88f473eb3bfc810646
• Instruction ID: d44da4799c556f14e8554fef64025c679c86410dfbd6c6ead2a16d10734cbb5e
• Opcode Fuzzy Hash: a2b27f86e737a1251a341c82fa371d987ce47c2eee450f88f473eb3bfc810646
• Instruction Fuzzy Hash: 265125B0E10219CFDB55CFA9C985BDDBBF5EF88340F148429E815AB294DB749841CF80
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9f7b665bb453ccb4d2f1255a118aa824d2de96f3d76b1ea9c3028d34ca8cb322
• Instruction ID: 87b73c4e09d5c8f15ec6133e79af1ad734f338e92e938b8e8747130c27da574b
• Opcode Fuzzy Hash: 9f7b665bb453ccb4d2f1255a118aa824d2de96f3d76b1ea9c3028d34ca8cb322
• Instruction Fuzzy Hash: AB417835A10606CFCB50CF59C8809AABBF2FF89350B19C999E959AB361D730F841CF94
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7174730a18eb6cbee78b859be8b999735223b42db6e2de2dae8095d2b010060a
• Instruction ID: e438a099f9c13cb5042ba832d329440c503d9f699a53859b128f46e972d4d0b9
• Opcode Fuzzy Hash: 7174730a18eb6cbee78b859be8b999735223b42db6e2de2dae8095d2b010060a
• Instruction Fuzzy Hash: 0C315335B102119FCB45DF78D884AAEBFB2FF89344B408469E8069B365DB30ED05CB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f5e990699cd6ed01fdb0c81948b45faa14a4972d23d003219a70ee963878d2b3
• Instruction ID: 7948a32a7b66dc06326edc7317637e2e168e01d8615d8d344f6cf73021c72a16
• Opcode Fuzzy Hash: f5e990699cd6ed01fdb0c81948b45faa14a4972d23d003219a70ee963878d2b3
• Instruction Fuzzy Hash: EF314235B102119FCB55DF78D884AAEBFB2FF89344B408469E9068B369DB31ED05CB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 00ba3f21bace7d5214fafe4b2e42992970d823b6838c5a30e5b1eff18f60bb1a
• Instruction ID: 00e1bbf12fcbe569630bf3052ee386def9b4cda9bfe899d1ac577671685f56c7
• Opcode Fuzzy Hash: 00ba3f21bace7d5214fafe4b2e42992970d823b6838c5a30e5b1eff18f60bb1a
• Instruction Fuzzy Hash: 504113B1D1120CDFDB14DFAAD980ADEBBB6EF88350F10802AD819B7254DB34A945CF90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1830179206.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_62a0000_K2xdxHSWJK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c74d7738022b5eaa352f2a987dec09b15552fac5b3ced9683f5570085e6473b
• Instruction ID: d178a58287b2c6a9f7528c28ff1f6b840fef6e40d684fca7517fb6b8536a57bc
• Opcode Fuzzy Hash: 3c74d7738022b5eaa352f2a987dec09b15552fac5b3ced9683f5570085e6473b
• Instruction Fuzzy Hash: 5831D630B282518FDB558B68C818B7A7BF6DF95320F14845AD816CB3A2CEB4CC15C791
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 656f47062aaa0a4b3625e70e9e229640b8521b14f8840c0e6a5e5b3d51211f4f
• Instruction ID: 3f512488c06ac933c5f759714cf5604488649615ecca7ce380a53329ee8b5cc2
• Opcode Fuzzy Hash: 656f47062aaa0a4b3625e70e9e229640b8521b14f8840c0e6a5e5b3d51211f4f
• Instruction Fuzzy Hash: 5B21E3326007418FCB65DA79C88479FBFE6EFC4394F148929E84A8735ADA30D945CBE0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d04c97eb614e72c5f54321bb98517a9938bc66205350fe67ce62f491007330a8
• Instruction ID: 0e152654eb0352df67ae107b2c50145486220d11f6c4d827dd38c669763bdbf8
• Opcode Fuzzy Hash: d04c97eb614e72c5f54321bb98517a9938bc66205350fe67ce62f491007330a8
• Instruction Fuzzy Hash: DC31F0B1D1120C9FDB14DFAAC984BDEBBBAAF48340F24802AD419B6254DB359945CF50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1830179206.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_62a0000_K2xdxHSWJK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 458de062893b208f43ea8cfa86981d5ad4668c9f60e1e0fec4a67241d4e75ba7
• Instruction ID: e4987037fddee24938a9931a94596d368c6dab2d4fe21b17e65b3583c9262b21
• Opcode Fuzzy Hash: 458de062893b208f43ea8cfa86981d5ad4668c9f60e1e0fec4a67241d4e75ba7
• Instruction Fuzzy Hash: B8215A35B50105AFCB54DF69C984EAABBB2EF8C714F1580A9EA05DB3A5DA31EC05CB10
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 09659816843646d7eb357db3412c58cd3d0d50dfda1458d8a5cbf858e0ee3773
• Instruction ID: 2c14c82998bc93127d1babdc116175c3aa76c00d0cbcfecc6d43452b42af8cd8
• Opcode Fuzzy Hash: 09659816843646d7eb357db3412c58cd3d0d50dfda1458d8a5cbf858e0ee3773
• Instruction Fuzzy Hash: 573101B1D11218DFCF14DFA9D894ADEBBB9EF48350F24802AE809A7240D774A841CB94
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1811818787.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ebd000_K2xdxHSWJK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: df4943974d7d780822569b51463e4f9e54c7a5eff1bc3167219abb438dd1f2b8
• Instruction ID: ca1da9ea2b3744866d0e49625da0b222f635497857c470b8d0544ef1d3569918
• Opcode Fuzzy Hash: df4943974d7d780822569b51463e4f9e54c7a5eff1bc3167219abb438dd1f2b8
• Instruction Fuzzy Hash: 39216A71108204DFCB05DF04CDC0B97BF65FB94324F20C569D9095B256D336E856C7A2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1811945026.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_ecd000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: bd7c3e0a6624bc2ba89386852103b2718c36f64f27164584422dfd329a74fdb3
                                                                                                                                                  • Instruction ID: 7446f4f53d7b0fe3d51f6691657911bc563cb54e737fb7d1940442c01771d386
                                                                                                                                                  • Opcode Fuzzy Hash: bd7c3e0a6624bc2ba89386852103b2718c36f64f27164584422dfd329a74fdb3
                                                                                                                                                  • Instruction Fuzzy Hash: 6421D071608200DFCB14DF18DA85F26BBA6EB84318F20C57DD84A5B296C33BD847CA61
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1811945026.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_ecd000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: b8aedd7cbeab677774652dee1086b2ed8164674e36b38308e414e1189880379d
                                                                                                                                                  • Instruction ID: a186f1e2dcfa1b23b04973e168f98cbe4d715498ec9d81f49ecbe47b42b09b0c
                                                                                                                                                  • Opcode Fuzzy Hash: b8aedd7cbeab677774652dee1086b2ed8164674e36b38308e414e1189880379d
                                                                                                                                                  • Instruction Fuzzy Hash: FA2141755093809FD712CF24D994B15BF71EB46214F28C5EAD8498B6A7C33B980BCB62
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: ae0447e72203b1130d1e92b1b7a0427537ea6ffd426167f3c46f305ad9aa7595
                                                                                                                                                  • Instruction ID: 4ef493e7a7e8693ac68c6f9f0cd872fdb67d2126426c5c6075cd53fb54642fba
                                                                                                                                                  • Opcode Fuzzy Hash: ae0447e72203b1130d1e92b1b7a0427537ea6ffd426167f3c46f305ad9aa7595
                                                                                                                                                  • Instruction Fuzzy Hash: 75211EB1D11258DFDB14CFA9C994BDEBBF9AF08340F24842AE409EB240D778A941CB90
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: ed6e08c7d7283c5880439425fa7dfa9e34eff8cc53ae826b440d695108a7bc90
                                                                                                                                                  • Instruction ID: fd68d2feaf48268ae771421929d7a3d02df8851d10148277f432588886a864db
                                                                                                                                                  • Opcode Fuzzy Hash: ed6e08c7d7283c5880439425fa7dfa9e34eff8cc53ae826b440d695108a7bc90
                                                                                                                                                  • Instruction Fuzzy Hash: B611C2302152009FC785AB38A9555BE7BB3EEC2340B446D38E507D7A65DD20BD4A8791
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1811818787.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_ebd000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                                                  • Instruction ID: ba28517d009e19efe05632fac893084c1615bc2d615442c0594bc7bbc842a2dc
                                                                                                                                                  • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                                                  • Instruction Fuzzy Hash: AF112672404240CFCB12CF00D9C4B56BF71FB94328F24C6A9DD090B256C33AE85ACBA2
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 2137baad3253e250179911103c8b28b011a19278c544bda18abeea59440f9ef3
                                                                                                                                                  • Instruction ID: 91a4c2245f4cee1029fb65646933c269587df1d11ba80854d9ab49fa755a9fec
                                                                                                                                                  • Opcode Fuzzy Hash: 2137baad3253e250179911103c8b28b011a19278c544bda18abeea59440f9ef3
                                                                                                                                                  • Instruction Fuzzy Hash: 4D01CB31B143008FC3219B68E800F867FE4EB82360F058166F254CF6A2DBA1E84AC790
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: aaa4481d468d3840fe17282d11d223af071b8213e97f4da429f8d716c3424985
                                                                                                                                                  • Instruction ID: eb1cb6663b4bc1452408024b8ba104cf93e91a71800011580eee22899a6c6972
                                                                                                                                                  • Opcode Fuzzy Hash: aaa4481d468d3840fe17282d11d223af071b8213e97f4da429f8d716c3424985
                                                                                                                                                  • Instruction Fuzzy Hash: 3E017131B101199BDF14DAA9AC85AEFBBAEEB84251B148036E514D3240EB31A91587A1
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: d8d03d2b598c0cc9e7093de73b7e5aeea6ba41cfb591dc061303ec078c2655b4
                                                                                                                                                  • Instruction ID: 9ea89e69a3e2ac7fa70704a937198b88eee6b02d904d3bbec37162e22e08716e
                                                                                                                                                  • Opcode Fuzzy Hash: d8d03d2b598c0cc9e7093de73b7e5aeea6ba41cfb591dc061303ec078c2655b4
                                                                                                                                                  • Instruction Fuzzy Hash: 1301B1312001019F8684BB38E55956E7AF3EFC0250B94AC38E117D7754DD30BD8A8792
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: a7e8215543c5a32577fbd05a5c5f0b25a1203812ef4166991bd976343167895c
                                                                                                                                                  • Instruction ID: ee05ffbceb7dad54890603f3b864ff0ffbd67bd73388b1b165051a9d6e4b521a
                                                                                                                                                  • Opcode Fuzzy Hash: a7e8215543c5a32577fbd05a5c5f0b25a1203812ef4166991bd976343167895c
                                                                                                                                                  • Instruction Fuzzy Hash: 2701D6346183489FCB42DB78C8148A97FBAEF8634075488E9E944CB363EA32DD16D791
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 02d594a72d5685cc73bc3c34f6c1d430dbfaadcb746a70c00fa4545f9218add4
                                                                                                                                                  • Instruction ID: 5a4d0a0ba01fc50b0d18693cecc8860b00da2aa164a0611551447a3e9a1fcf60
                                                                                                                                                  • Opcode Fuzzy Hash: 02d594a72d5685cc73bc3c34f6c1d430dbfaadcb746a70c00fa4545f9218add4
                                                                                                                                                  • Instruction Fuzzy Hash: B601D630A31302CFDBA98E35A5446A7B7F7FF8434A714983CD8439A614DAB1E480CBC4
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 8fda4ace2d680e8049381bd54f85ba8c1ea2119699544154c3e586da20a4ee52
                                                                                                                                                  • Instruction ID: 3cbea316b1d4f8c5815efada39e3c457f928be50700b8c12fddd7fdc4b507183
                                                                                                                                                  • Opcode Fuzzy Hash: 8fda4ace2d680e8049381bd54f85ba8c1ea2119699544154c3e586da20a4ee52
                                                                                                                                                  • Instruction Fuzzy Hash: 9C01F9755167019FC725DF25E4081A1BBF7FF49341700CA2AE58BC2611DB70A90BCF84
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 5e1ca89c68d496a02369cd4384a88dd1333c34a8f44918fd113b9ba8eb880dc6
                                                                                                                                                  • Instruction ID: 30408e8156e1b9bfb2d3db6942dec105d9c1c4a252d38041a0fa05836f993dc6
                                                                                                                                                  • Opcode Fuzzy Hash: 5e1ca89c68d496a02369cd4384a88dd1333c34a8f44918fd113b9ba8eb880dc6
                                                                                                                                                  • Instruction Fuzzy Hash: 3E01C4B4D1421ADFDB44DFA9D9446EEBBF5FB48301F5090A99819A3350E7780A40CF90
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 70107a5b375374c1571652bda78e731935260ba4dd93f7a4f6415caa25e43fa8
                                                                                                                                                  • Instruction ID: d81bf26efc4089f77fbe964791a72516fd727ffec707cd2120efe4bda53a61e9
                                                                                                                                                  • Opcode Fuzzy Hash: 70107a5b375374c1571652bda78e731935260ba4dd93f7a4f6415caa25e43fa8
                                                                                                                                                  • Instruction Fuzzy Hash: 07E092312041116FC3202A6AA849A9FBAEAEFC9351B80843CF20ED3342CA75680547A5
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 51f5e0cd40d64cbc69b7029fd91ba54cb07616e0ace775fc1e50e82f601f7fe5
                                                                                                                                                  • Instruction ID: 0ad26951275d5bbfd6fd2a5e6a83a8d5e2a48b333847ceb9d3da97dd62a74d86
                                                                                                                                                  • Opcode Fuzzy Hash: 51f5e0cd40d64cbc69b7029fd91ba54cb07616e0ace775fc1e50e82f601f7fe5
                                                                                                                                                  • Instruction Fuzzy Hash: DBF09034501B018FD725EF26E408552BBF6FB88315700CA2EE58BC2A10DB70A50ACF84
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 1e64bf25f49e58e70ee36a71a8535a8763f07c074a7f7ae947767025de664f68
                                                                                                                                                  • Instruction ID: 8e07fbc3907ac067f86962f44a848b137c2bed27876d0eccf7dfbef26f65593b
                                                                                                                                                  • Opcode Fuzzy Hash: 1e64bf25f49e58e70ee36a71a8535a8763f07c074a7f7ae947767025de664f68
                                                                                                                                                  • Instruction Fuzzy Hash: BEF0E57161D380FFDB82A724E8826DE3BE0DF03320B111695DD4A9B62AE2B0D8018352
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: af6eefd234d9a7c4c41ba7b24cfbce3ea2f2bd667b5737141f1667df96ac5d0b
                                                                                                                                                  • Instruction ID: 593737ad242cc0e5b2dbb24d265a20ab47eea6a834cbabcccf968c82f0d20fc8
                                                                                                                                                  • Opcode Fuzzy Hash: af6eefd234d9a7c4c41ba7b24cfbce3ea2f2bd667b5737141f1667df96ac5d0b
                                                                                                                                                  • Instruction Fuzzy Hash: 5EE0D83232D2404FDB82EF3CF8015DE7BA0DB56760B249367D40ADB6A6F67088458797
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 912296af5de5f727575d4314f2132ced0f47d7becc755b463754ed676192d0d1
                                                                                                                                                  • Instruction ID: 3c9ad2f06a838c2da238854b67d8c1f81bb1d63f5babe0f9a2be591654816a07
                                                                                                                                                  • Opcode Fuzzy Hash: 912296af5de5f727575d4314f2132ced0f47d7becc755b463754ed676192d0d1
                                                                                                                                                  • Instruction Fuzzy Hash: 3DF01E35D0120DAFCB41DFB4DA489CDBFBAEB48300F1082A6E809E3244EA305B558B81
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 69e156ca3656c4ad66c3766f9cce576e0c245d9b7605881febdd3b5215f0e341
                                                                                                                                                  • Instruction ID: bfe057c111979f12bb873ed1bc806f7cdad9593081986a6175fcd7b66014a7b2
                                                                                                                                                  • Opcode Fuzzy Hash: 69e156ca3656c4ad66c3766f9cce576e0c245d9b7605881febdd3b5215f0e341
                                                                                                                                                  • Instruction Fuzzy Hash: 47E0ED302047908FC321EB2DE5087AFBBF6DF85318F04482DE286C7702CBA1A8068B91
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 2ebaee89ef6db498749cb68ecbc33691d781934dd21bb25a2f395b1276d7fc6d
                                                                                                                                                  • Instruction ID: bc523ff426f7db2096857fcf28d7914472a2a500a827ffe51e9001d7f35212b2
                                                                                                                                                  • Opcode Fuzzy Hash: 2ebaee89ef6db498749cb68ecbc33691d781934dd21bb25a2f395b1276d7fc6d
                                                                                                                                                  • Instruction Fuzzy Hash: 8FE04FB311C2119FD340DE24E840997BBE8EB94220B11CC2DF444C7240E731E841C694
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: cc097ee40ea26ede0113c682033dbfbdd239c68ca2340f0754e6cc32763b2009
                                                                                                                                                  • Instruction ID: f18d0b2008a4b4bf49b5c444a943da5b6e2e8544588359d612e7bdfe2a2e2798
                                                                                                                                                  • Opcode Fuzzy Hash: cc097ee40ea26ede0113c682033dbfbdd239c68ca2340f0754e6cc32763b2009
                                                                                                                                                  • Instruction Fuzzy Hash: CCE0D83100D6005FD701F730FC415C537B1E745700B411595D8466F6AAD7749A49CBD6
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: f550a312abc40986cf3fb97bbaff195621b3d1b9a76b5fed5c61aac07069c94e
                                                                                                                                                  • Instruction ID: aa57bb4c15cb98989ce5e33c1d310ff3e96280953188e3c4e43ec12afaeb1022
                                                                                                                                                  • Opcode Fuzzy Hash: f550a312abc40986cf3fb97bbaff195621b3d1b9a76b5fed5c61aac07069c94e
                                                                                                                                                  • Instruction Fuzzy Hash: 06E0DF71E49204FFCB01DB74A841AAE7BB1DB82200B2449EAE809E7291E6305F148B52
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 10652e4205be1419ea72f86cb17caccd71edac7685b5b2f0039460ce0d6ba73d
                                                                                                                                                  • Instruction ID: 5a1205f0f700fb4669323e45d482bf16054467411198b2aa1edf60bf4c994ef9
                                                                                                                                                  • Opcode Fuzzy Hash: 10652e4205be1419ea72f86cb17caccd71edac7685b5b2f0039460ce0d6ba73d
                                                                                                                                                  • Instruction Fuzzy Hash: 0FD05B313001265B86153769B4584AE77EBEBC5671704413DE707C3340DE656D4547D6
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
• Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f63f5ea561df94b3ec187226e3b349caa56c9f3429a5b66afc31b5bdbd26cae3
• Instruction ID: 147dfce87c3578cc9953b9d3e4edec8e0f9340950b04d5ba9af458427976a2f7
• Opcode Fuzzy Hash: f63f5ea561df94b3ec187226e3b349caa56c9f3429a5b66afc31b5bdbd26cae3
• Instruction Fuzzy Hash: 92E0EC391346489FCB829B58C8448D43F79EB5A6903869085E9848B163D662D825DB61
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 898794a79e5de21aad06278e022615ddd3b4c19489432bfa7fd19e4a922273de
• Instruction ID: fb37bf4026d43d8cceefbeb6237b7c0503ebe7ebfe5b01767ef6318af16578c5
• Opcode Fuzzy Hash: 898794a79e5de21aad06278e022615ddd3b4c19489432bfa7fd19e4a922273de
• Instruction Fuzzy Hash: 63E09275E0120CEFCB40DFE4E9448DDBBB9EB48200F1086AAD909E3200EB306B55DF80
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 67a661962b564aaf84730d088115af3762aa23391e008cdc97ac9996b6772a4a
• Instruction ID: 531cc5bb3c168b7265b4e9ef42f57a924aaa11cb848198b62030148abebcdf1b
• Opcode Fuzzy Hash: 67a661962b564aaf84730d088115af3762aa23391e008cdc97ac9996b6772a4a
• Instruction Fuzzy Hash: 3FD01771A05208FF8B40EFA8E90199EB7B9EB45214B2085A99509E7200EA316F009B92
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 14d6e4166d005c6af3045d6cfc3cde5c7ef23405ac39fce7a81ac80210a60211
• Instruction ID: 3384f1fc51b5e198f71ae4ba090d9140342bbede96daa984339f557871626709
• Opcode Fuzzy Hash: 14d6e4166d005c6af3045d6cfc3cde5c7ef23405ac39fce7a81ac80210a60211
• Instruction Fuzzy Hash: 25C012327040200B0284B66CB0210BE66F7C6C82A3385443AE60ED3348CD608C464382
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2834ecfb648e87f95a8121179ff3e21def6d355be4d59820c3e629e901b30ded
• Instruction ID: 43c16a7b589a9c5d3548bf4f8c80600e070f0fa665fbecebf902878e21eb6aef
• Opcode Fuzzy Hash: 2834ecfb648e87f95a8121179ff3e21def6d355be4d59820c3e629e901b30ded
• Instruction Fuzzy Hash: F4C04C2554E6905ADB42177089099803E616F4363471554C6D6558E0A6D6110405C662
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 10dc8c742826a55b5b008deb8f81578eddc97dc299f8b3d187c8b49f00b2c431
• Instruction ID: 8619274494b7bfc76dc96354c40eb7279a376c0abeac9e164391ec888143a6ef
• Opcode Fuzzy Hash: 10dc8c742826a55b5b008deb8f81578eddc97dc299f8b3d187c8b49f00b2c431
• Instruction Fuzzy Hash: E3B0127B0001006AC700A690890AF467D21A758704F004408B345C1047C5B28410D791
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b0aa4d9cc49073536734b24d0fbe8387b96107927644f547402569df02d163e8
• Instruction ID: c5b1cb393d4cd48e169858a19415e2820fccfb2824cc9883684f51e860f49464
• Opcode Fuzzy Hash: b0aa4d9cc49073536734b24d0fbe8387b96107927644f547402569df02d163e8
• Instruction Fuzzy Hash: C66273B06042009FD748EF28D55975ABAE6EF84308F64C99CD00D9F396CBB7D94B8B91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8911a1f6ce7fc84282f1350cfe0446dda09fd16a41b1a3055ce1d16699c0a7f2
• Instruction ID: 7d5fab66326488ae438f7d09cf2aa979e3f10df3ab2c98e2aeb236aae25ae28a
• Opcode Fuzzy Hash: 8911a1f6ce7fc84282f1350cfe0446dda09fd16a41b1a3055ce1d16699c0a7f2
• Instruction Fuzzy Hash: EC6272B06042009FD748EF28D55975ABAE6EF84308F64C99CD00D9F396CBB7D94B8B91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f27b1cf5740505b09090e13cfe83b113c1d5b1a318dddc113a2e7cf88274a868
• Instruction ID: 9befeaaaceb5aca50a9dc6745418c9c17fd83be623d656f8f8e48cada1f77e84
• Opcode Fuzzy Hash: f27b1cf5740505b09090e13cfe83b113c1d5b1a318dddc113a2e7cf88274a868
• Instruction Fuzzy Hash: 21E1A171A102199FCB04DF68D984BDEBBF2EF88340F149569E805AB2A1DB31ED45CB90
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1829360749.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f60000_K2xdxHSWJK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ff6ad1cd805d0c79c7cab433bfaddf381aa17e21eaf38166842e6b34ff32ed79
• Instruction ID: 7a05c4fbda459ae320f44fab01270e81671b4371d674b11cf66d512a15b3d793
• Opcode Fuzzy Hash: ff6ad1cd805d0c79c7cab433bfaddf381aa17e21eaf38166842e6b34ff32ed79
• Instruction Fuzzy Hash: 6012B4B0501746AAD352DF66E94C18B3BB2FB8131EB904749D2612B2E9D7BC194ACFC4
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1812804821.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_27c0000_K2xdxHSWJK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2e5d7c49f137a344391e6aa27742123ec4f68760d7d64a25fda9863da55c7a20
• Instruction ID: e3dc08b2966a5bc20b46e0a1e08167b82a0ce4c73e89542792521a6ee6f76611
• Opcode Fuzzy Hash: 2e5d7c49f137a344391e6aa27742123ec4f68760d7d64a25fda9863da55c7a20
• Instruction Fuzzy Hash: 90A14B32A002158FCF1ADFB5C88459EB7B3FF85300B25857EE905AB265DB75E945CB80
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1829360749.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f60000_K2xdxHSWJK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6f674fd28a34bd6354ee35e6766e21b47b012d8a9741aefc4f445b7d09714934
• Instruction ID: be0adca28f1c15e5f106674a06bf17526673293d91c7841f363cbbc8137e3c60
• Opcode Fuzzy Hash: 6f674fd28a34bd6354ee35e6766e21b47b012d8a9741aefc4f445b7d09714934
• Instruction Fuzzy Hash: B6C149B0801745AFD712DF26E94818B3BB2FB8131AF544749D1616B2E9DBBC188ACFC4
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1812804821.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_27c0000_K2xdxHSWJK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d4e201a72b9cd3e6954b7462ca93fe79a6a0ca096033f4e44e450d65cc33c2d7
• Instruction ID: 032b6c898ba1b1b62b205b29ed0505a948a22bfcd7706f0222deb04030517e9d
• Opcode Fuzzy Hash: d4e201a72b9cd3e6954b7462ca93fe79a6a0ca096033f4e44e450d65cc33c2d7
• Instruction Fuzzy Hash: A431295281DAD68BC3127E3F5CB80C26B60CD3B36C36553CEC8E4A65FBEA04445AD366
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1830204048.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_62b0000_K2xdxHSWJK.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: (_kq$(_kq$(_kq$(_kq$(_kq$(_kq
                                                                                                                                                  • API String ID: 0-848523028
                                                                                                                                                  • Opcode ID: 9bdf2c438a4e2dbbf39d1efe30ac257e08535a49effb5312b93d9d1e0b64d04a
                                                                                                                                                  • Instruction ID: 68eb8f309aa421979c565b201b47e9c0e36292f33e6acf0d137e1097f0d9b037
                                                                                                                                                  • Opcode Fuzzy Hash: 9bdf2c438a4e2dbbf39d1efe30ac257e08535a49effb5312b93d9d1e0b64d04a
                                                                                                                                                  • Instruction Fuzzy Hash: BAE1E234B042449FCB45AF78C4145AE7FF6EF86350B2489AAED45DB382DA35DE02CB91
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%